On Fri, Apr 21, 2017 at 4:44 AM,  <n...@apache.org> wrote:
> +    /* A request that has passed through .htaccess has no business
> +     * landing up here.
> +     */
> +    if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
> +        return DECLINED;
> +    }
> +

If AllowOverride is enabled for the document root an d an htaccess is
present,  this renders /server-status unreachable, regardless of
what's in the htaccess. If we're going to block this by default, we
might as well just stop configuring it with SetHandler and then the
taint checking is not needed.

We also have in another thread the issue with RewriteRule ... [P] in
htaccess being blocked.  We need some kind of way to express a policy
that will be unique to different handlers.

Eric Covener

Reply via email to